From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 6741460933745311744
X-Received: by 2002:a5d:67c5:: with SMTP id n5mr1904768wrw.72.1571071127057;
        Mon, 14 Oct 2019 09:38:47 -0700 (PDT)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:adf:b7cd:: with SMTP id t13ls5649804wre.5.gmail; Mon, 14 Oct
 2019 09:38:46 -0700 (PDT)
X-Google-Smtp-Source: APXvYqz8imgxq2zc6qpiPN8iWaoPpPin3YZMzilBosw80UOjH9IN/XGHT+pQYK1jJJrfkyBS7V5c
X-Received: by 2002:a5d:5052:: with SMTP id h18mr18903943wrt.143.1571071126617;
        Mon, 14 Oct 2019 09:38:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571071126; cv=none;
        d=google.com; s=arc-20160816;
        b=o3Fo0aaxc8I1luzd1Cs8JJLLCUSwIQUJ5Qc4aNcvUcFbal19vqQEfLu6pPi26INY0P
         TBfQ4jrYvYk6oE0+IIFNukjSYa65jH8fimkujomvhW4CADJ/jKLucFxNzBGsw+m25VWL
         1Ykcjev/SfLika+B/JhuxliWSVORm2P1/woWR+2gkrZMrehrqk7KMfp7rxijvmUhDHsM
         VxnMN8246ETkglKR2nVK9vBL++CFF5oQN/qffDbhUHudJ+7PlXENazzlli5qEPN0LYsN
         4bo9XO3TQNDto/KZdd2AX0lJy589dpr3ATQEklsytDLLLBm19W4rer0TkuePWrLFdZuZ
         dZzw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date;
        bh=Q49+uN8bsN8iAOO3vvg1jB3VyouKXA2qAmKolP9PYJc=;
        b=Z/KL514NGudSEaDowXAqvpVljGI3bM+LKt03vxwCqf/NF/cZbaaK8PEgIB6JeS2M+/
         qDAcoi3wgki3nm0rANQEMznlEaIyqUNyPykALA8C2sBd18g/7NT+kfeRA95qw70WUvJT
         XjJZqTi5LqacU6bk5YN4qNqKxkfCwSN1KKRflZxz3RTGyGBJUXGeLXYs4aMczwP6cq98
         gykqpYkenlA+zNBOdwhE7H3RQfYi7bDTTJfszxmv1P/ruJZxkMYIZLHyCcyzcp0blB8U
         gfFAX+9+MfhQg9XHqjPxXrg7+itRQZTixul8DPs8DUNB2TAB4rOrDRP5f/YVngsr5V0y
         NKJg==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.39 as permitted sender) smtp.mailfrom=henning.schild@siemens.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com
Return-Path: <henning.schild@siemens.com>
Received: from lizzard.sbs.de (lizzard.sbs.de. [194.138.37.39])
        by gmr-mx.google.com with ESMTPS id s65si593750wme.2.2019.10.14.09.38.46
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 14 Oct 2019 09:38:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.39 as permitted sender) client-ip=194.138.37.39;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.39 as permitted sender) smtp.mailfrom=henning.schild@siemens.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com
Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35])
	by lizzard.sbs.de (8.15.2/8.15.2) with ESMTPS id x9EGckYD026304
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Mon, 14 Oct 2019 18:38:46 +0200
Received: from md1za8fc.ad001.siemens.net ([139.25.0.8])
	by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id x9EGcjju007735;
	Mon, 14 Oct 2019 18:38:45 +0200
Date: Mon, 14 Oct 2019 18:38:45 +0200
From: Henning Schild <henning.schild@siemens.com>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: <vijaikumar.kanagarajan@gmail.com>, <isar-users@googlegroups.com>,
        <claudius.heine.ext@siemens.com>, <Amy_Fong@mentor.com>,
        Vijai Kumar K
 <Vijaikumar_Kanagarajan@mentor.com>
Subject: Re: [PATCH] base-apt: Use gpg keyid instead of yes
Message-ID: <20191014183845.095f7182@md1za8fc.ad001.siemens.net>
In-Reply-To: <49311e01-52f4-0ae8-ac95-a297e1343a20@siemens.com>
References: <20190927211112.29379-1-Vijaikumar_Kangarajan@mentor.com>
	<49311e01-52f4-0ae8-ac95-a297e1343a20@siemens.com>
X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-TUID: 8zwOkbDg/ha8

Am Mon, 30 Sep 2019 08:17:00 +0200
schrieb Jan Kiszka <jan.kiszka@siemens.com>:

> On 27.09.19 23:11, vijaikumar.kanagarajan@gmail.com wrote:
> > From: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> > 
> > When using "SignWith: yes", reprepro uses the default gpg key
> > of the system to sign the repo. The default gpg key might be
> > different from what is specified in BASE_REPO_KEY, resulting
> > in using a wrong key for signing.
> > 
> > Derive and use the keyid from the keyfile supplied instead of
> > a generic yes option.
> > 
> > Suggested-by: Amy Fong <Amy_Fong@mentor.com>
> > Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
> > ---
> >   meta/recipes-devtools/base-apt/base-apt.bb | 22
> > +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3
> > deletions(-)
> > 
> > diff --git a/meta/recipes-devtools/base-apt/base-apt.bb
> > b/meta/recipes-devtools/base-apt/base-apt.bb index 74189f1..c74be86
> > 100644 --- a/meta/recipes-devtools/base-apt/base-apt.bb
> > +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> > @@ -4,6 +4,7 @@
> >   SRC_URI = "file://distributions.in"
> >   
> >   BASE_REPO_KEY ?= ""
> > +KEYFILES ?= ""
> >   
> >   CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
> >   do_cache_config[dirs] = "${CACHE_CONF_DIR}"
> > @@ -12,13 +13,18 @@ do_cache_config[lockfiles] =
> > "${REPO_BASE_DIR}/isar.lock" 
> >   # Generate reprepro config for current distro if it doesn't
> > exist. Once it's # generated, this task should do nothing.
> > -do_cache_config() {
> > +repo_config() {
> >       if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
> >           sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
> >               ${WORKDIR}/distributions.in >
> > ${CACHE_CONF_DIR}/distributions
> > -        if [ "${BASE_REPO_KEY}" ] ; then
> > +        if [ -n "${KEYFILES}" ]; then
> > +            option=""
> > +            for key in ${KEYFILES}; do
> > +                keyid=$(cat ${key} | gpg --keyid-format 0xlong
> > --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print
> > $5;}')  
> 
> I hope this parsing is stable...

It looks ok, the format args used are meant for parsing.

But i would like to point out the useless use of cat.
Plus an inconsistent use of spaces around pipes.

Henning

> 
> > +                option="${option}${keyid} "
> > +            done
> >               # To generate Release.gpg
> > -            echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
> > +            echo "SignWith: ${option}" >>
> > ${CACHE_CONF_DIR}/distributions fi
> >       fi
> >   
> > @@ -35,4 +41,14 @@ do_cache_config() {
> >       fi
> >   }
> >   
> > +python do_cache_config() {
> > +    for key in d.getVar('BASE_REPO_KEY').split():
> > +        d.appendVar("SRC_URI", " %s" % key)
> > +        fetcher = bb.fetch2.Fetch([key], d)  
> 
> I wonder if that magically addresses the case that changing key file
> content should also trigger rebuilds. Similar to
> https://github.com/ilbers/isar/issues/60.
> 
> > +        filename = fetcher.localpath(key)
> > +        d.appendVar("KEYFILES", " %s" % filename)
> > +
> > +    bb.build.exec_func('repo_config', d)
> > +}
> > +
> >   addtask cache_config after do_build
> >   
> 
> Looks good - if the keyid extraction if actually robust.
> 
> Jan
>